DOD's 2023 cyber strategy — what we know and what we need

U.S. Cyber Command Headquarters in Ft. Meade, Md.

U.S. Cyber Command Headquarters in Ft. Meade, Md. Saul Loeb/AFP via Getty Images

Featured eBooks
Space Tech
Read Now

CDM

Read Now

Digital Transformation

Read Now
By Sam Kinch,
Director, technical account management, Tanium

By Sam Kinch

|

COMMENTARY | Russia's invasion of Ukraine has provided us a blueprint for what modern warfare will look like for the foreseeable future — and the role of cybersecurity plays on offense and on defense.

The Defense Department's classified cybersecurity strategy was released to Congress this May. An unclassified summary is still in the works, but an unclassified fact sheet notes that the unfolding events in Ukraine are a key component of the Pentagon's plans for proactively disrupting malicious cyber activity before it hits U.S.-based networks – the "defend forward"  strategy in place since 2018. 

A key component of the strategy is an approach called  "Defend the Nation," which states that the Department will campaign in and through cyberspace to generate insights about malicious cyber actors, as well as aggressively counterattack in the cyber realm to disrupt and degrade these actors' capabilities and supporting ecosystems. Additionally, DOD will work with its interagency partners to improve the cyber resilience of U.S. critical infrastructure and to counter threats to military readiness. This part of the strategy is foundational and it will take public and private sector leaders working together to fight off the day-to-day probing and assault on our networks. 

U.S. Cyber Command is getting more authority over its own budget to execute on these strategies —  beginning in fiscal year 2024 the command's spending authority jumps from $75 million to $3.2 billion, allowing for the creation of internal acquisition programs aligned to the department's cyber strategy. 

In March, U.S. Cybercom commander Gen. Paul Nakasone told Congress that enhanced budgetary control "gives USCYBERCOM the ability to directly allocate resources for greater efficiencies during the department's programming phase, and make sure they remain aligned with priorities through execution." 

One element that's not explicitly spelled out is that our government will also need to ensure the best technologies are integrated in a vendor in-depth approach — the idea being that if one technology vendor misses a cyberattack or instance of malware, another will catch it. While putting all your eggs in one basket is simpler to manage, having multiple solutions integrated with one another significantly strengthens our defense.  As stated in the 2023 National Cybersecurity Strategy, "the American people must have confidence in the availability and resilience of this infrastructure and the essential services it provides."

Effects on industry

Cyber Command's enhanced budget authority will not immediately change how money is spent in the near term. According to Michael Clark, previous director for cyber acquisition and technology at Cyber Command, the department doesn't want to "break good." However, the cybersecurity industry should be cognizant that offices will report up to Cyber Command as opposed to their service-specific program executive offices or chains of command moving forward. With the purse-holder now changing, that will require new relationships and office engagements. 

Cyber Command also continues an active industry engagement effort through programs like Under Advisement where it establishes intel exchange relationships with cybersecurity-focused industry partners. Additionally, a highly successful U.S. ally and partner activity continues under their conduct of hunt-forward operations, which involves physically sending defensively oriented cyber protection teams from the U.S. Cyber Command's Cyber National Mission Force to foreign nations at their invitation to look for malicious activity on their network. These activities build foreign nation-state relationships, identify malicious cyber actor tactics, techniques, and procedures, and ultimately improve our national cyber defense posture.

Securing networks and infrastructure

There are two main growth areas that will be paramount for robust security for our networks and infrastructure. 

First, we need more talent. This has been an ongoing issue that our industry has tried to solve but has struggled to get ahead of as attacks increase in sophistication and frequency. Even before the establishment of US Cyber Command, our nation recognized the need for highly skilled, motivated, and patriotic cyber forces. 

Secondly, to secure infrastructure, we need to maintain basic cyber hygiene on our networks. Cyber Command and the Department of Homeland Security continue to build relationships across critical sectors needed to secure our networks and infrastructure. Efforts include DHS' Joint Cyber Defense Collaboration and NSA's Cybersecurity Collaboration Center. While these collaborative efforts are essential, the fundamental means of exploitation still resides in the failure to meet cyber hygiene minimums. For example, we must know every endpoint/device on the network, fully patch systems immediately, require/manage multi-factor authentication and complex passwords, continually review users/groups, and be prepared to immediately respond to any unique indicator of compromise. Anything short of that opens the door for potential attacks.

Even though the 2023 DOD Cyber Strategy is classified, it's clear which elements will be most important and the areas they need to get right. Russia's invasion of Ukraine has provided us a blueprint for what modern warfare will look like for the foreseeable future, and as such, we need to continue improving our national cyber defense posture to ensure we remain protected. 

An influx in funding granted to U.S. Cyber Command this year will reinforce existing capabilities in the short term and open the door to Cyber Command having more control of acquisitions moving forward. That, paired with greater public and private sector collaboration and the necessary fail-safes are great steps in the right direction. However, we need to continue developing our cyber talent and maintain basic cyber hygiene. If we fail to properly address these two foundational issues, nothing else will matter.

NEXT STORY: The future of CDM is in data governance, proactive threat detection

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.